Multiple integer signedness errors in factory.cc in Google V8 before r3560, as used in Google Chrome before 4.0.249.89, allow remote attackers to execute arbitrary code in the Chrome sandbox via crafted use of JavaScript arrays.
code.google.com/p/chromium/issues/detail?id=31009
code.google.com/p/v8/source/detail?r=3560
codereview.chromium.org/525064
googlechromereleases.blogspot.com/2010/02/stable-channel-update.html
secunia.com/advisories/38545
securitytracker.com/id?1023583
sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs
www.osvdb.org/62316
www.securityfocus.com/bid/38177
www.vupen.com/english/advisories/2010/0361
exchange.xforce.ibmcloud.com/vulnerabilities/56213
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14222